SRX


Ask questions and share experiences about the SRX Series, vSRX, and cSRX.
  • 1.  Dynamic VPN on SRX210

    Posted 05-04-2015 12:09

    I'm having a problem setting up dynamic VPN on an SRX210. I can connect to the IP in the untrusted zone, and the VPN connection comes up. I can then ping the IP of the trusted interface on the SRX, but I cannot ping any device on the trusted side.

     

    version 12.1X44-D35.5;
    groups {
        node0 {
            interfaces {
                fxp0 {
                    unit 0 {
                        family inet {
                            /* NOTE(review): same host address as ge-0/0/1 unit 0 (172.20.128.153/29) below; two interfaces carry the same IP, see reply #4 */
                            address 172.20.128.153/28;
                        }
                    }
                }
            }
        }
    }
    system {
        root-authentication {
            /* NOTE(review): this root password hash is now public on this thread; treat it as compromised and rotate it */
            encrypted-password "$1$P5gm0DfB$B39xrCbDs9UI0vEWZuaD7/"; ## SECRET-DATA
        }
        name-server {
            208.67.222.222;
            208.67.220.220;
        }
        services {
            ssh;
            /* NOTE(review): telnet and xnm-clear-text are cleartext management protocols; the trust zone below permits all system-services, so they are reachable from the LAN. Prefer ssh/https only */
            telnet;
            xnm-clear-text;
            web-management {
                http {
                    interface vlan.0;
                }
                https {
                    system-generated-certificate;
                    interface vlan.0;
                }
            }
            dhcp {
                router {
                    192.168.1.1;
                }
                pool 192.168.1.0/24 {
                    address-range low 192.168.1.2 high 192.168.1.254;
                }
                propagate-settings ge-0/0/0.0;
            }
        }
        syslog {
            archive size 100k files 3;
            user * {
                any emergency;
            }
            file messages {
                any critical;
                authorization info;
            }
            file interactive-commands {
                interactive-commands error;
            }
        }
        max-configurations-on-flash 5;
        max-configuration-rollbacks 5;
        license {
            autoupdate {
                url https://ae1.juniper.net/junos/key_retrieval;
            }
        }
    }
    interfaces {
        /* Internet-facing interface (untrust zone, IKE external-interface) */
        ge-0/0/0 {
            unit 0 {
                family inet {
                    address XX.XX.XX.XX/26;
                }
            }
        }
        /* Trusted-side interface; this /29 is the subnet published to VPN clients as remote-protected-resources */
        ge-0/0/1 {
            unit 0 {
                family inet {
                    address 172.20.128.153/29;
                }
            }
        }
        fe-0/0/2 {
            unit 0 {
                family ethernet-switching {
                    vlan {
                        members vlan-trust;
                    }
                }
            }
        }
        fe-0/0/3 {
            unit 0 {
                family ethernet-switching {
                    vlan {
                        members vlan-trust;
                    }
                }
            }
        }
        fe-0/0/4 {
            unit 0 {
                family ethernet-switching {
                    vlan {
                        members vlan-trust;
                    }
                }
            }
        }
        fe-0/0/5 {
            unit 0 {
                family ethernet-switching {
                    vlan {
                        members vlan-trust;
                    }
                }
            }
        }
        fe-0/0/6 {
            unit 0 {
                family ethernet-switching {
                    vlan {
                        members vlan-trust;
                    }
                }
            }
        }
        fe-0/0/7 {
            unit 0 {
                family ethernet-switching {
                    vlan {
                        members vlan-trust;
                    }
                }
            }
        }
        vlan {
            unit 0 {
                family inet {
                    address 192.168.1.1/24;
                }
            }
        }
    }
    protocols {
        stp;
    }
    security {
        ike {
            policy ike-dyn-vpn-policy {
                /* NOTE(review): aggressive mode with a group IKE ID and one shared PSK appears to be what this dynamic-vpn setup relies on; it reveals more to a passive observer than main mode, so keep the PSK strong and rotate it */
                mode aggressive;
                proposal-set standard;
                /* NOTE(review): $9$ values are reversibly obfuscated, not hashed; this PSK is effectively disclosed by the post and should be changed */
                pre-shared-key ascii-text "$9$C19CABEleWx-wM8JGUDkqtu0"; ## SECRET-DATA
            }
            gateway dyn-vpn-local-gw {
                ike-policy ike-dyn-vpn-policy;
                dynamic {
                    hostname dynvpn;
                    connections-limit 4;
                    ike-user-type group-ike-id;
                }
                external-interface ge-0/0/0.0;
                xauth access-profile dyn-vpn-access-profile;
            }
        }
        ipsec {
            policy ipsec-dyn-vpn-policy {
                proposal-set standard;
            }
            vpn dyn-vpn {
                ike {
                    gateway dyn-vpn-local-gw;
                    ipsec-policy ipsec-dyn-vpn-policy;
                }
            }
        }
        dynamic-vpn {
            access-profile dyn-vpn-access-profile;
            clients {
                all {
                    /* Only this prefix is pushed to clients as a tunnel route; 192.168.1.0/24 (vlan.0) is not listed, see reply #2 */
                    remote-protected-resources {
                        172.20.128.152/29;
                    }
                    /* 0.0.0.0/0 here means everything not in remote-protected-resources stays outside the tunnel (split tunnelling) */
                    remote-exceptions {
                        0.0.0.0/0;
                    }
                    ipsec-vpn dyn-vpn;
                    user {
                        client1;
                        client2;
                    }
                }
            }
        }
        screen {
            ids-option untrust-screen {
                icmp {
                    ping-death;
                }
                ip {
                    source-route-option;
                    tear-drop;
                }
                tcp {
                    syn-flood {
                        alarm-threshold 1024;
                        attack-threshold 200;
                        source-threshold 1024;
                        destination-threshold 2048;
                        timeout 20;
                    }
                    land;
                }
            }
        }
        nat {
            source {
                rule-set trust-to-untrust {
                    from zone trust;
                    to zone untrust;
                    rule source-nat-rule {
                        match {
                            source-address 0.0.0.0/0;
                        }
                        then {
                            source-nat {
                                interface;
                            }
                        }
                    }
                }
            }
        }
        policies {
            from-zone trust to-zone untrust {
                policy trust-to-untrust {
                    match {
                        source-address any;
                        destination-address any;
                        application any;
                    }
                    then {
                        permit;
                    }
                }
            }
            from-zone untrust to-zone trust {
                /* NOTE(review): policies are evaluated top-down, first match wins. This any/any/any permit precedes dyn-vpn-policy, so it shadows the tunnel policy and opens the trust zone to any inbound traffic the box can route. Remove it, or place dyn-vpn-policy first and scope this one down */
                policy untrust-to-trust {
                    match {
                        source-address any;
                        destination-address any;
                        application any;
                    }
                    then {
                        permit;
                    }
                }
                /* Tunnel policy for the dynamic VPN clients; must be reachable before any broader untrust-to-trust permit */
                policy dyn-vpn-policy {
                    match {
                        source-address any;
                        destination-address any;
                        application any;
                    }
                    then {
                        permit {
                            tunnel {
                                ipsec-vpn dyn-vpn;
                            }
                        }
                    }
                }
            }
        }
        zones {
            security-zone trust {
                /* NOTE(review): "all" here includes the cleartext telnet and xnm-clear-text services enabled under system services */
                host-inbound-traffic {
                    system-services {
                        all;
                    }
                    protocols {
                        all;
                    }
                }
                interfaces {
                    vlan.0;
                    ge-0/0/1.0;
                }
            }
            security-zone untrust {
                screen untrust-screen;
                interfaces {
                    ge-0/0/0.0 {
                        /* NOTE(review): ike is what the VPN needs on the Internet-facing interface; review whether dhcp, tftp, http and ssh must also be accepted from the Internet and drop the ones that are not */
                        host-inbound-traffic {
                            system-services {
                                dhcp;
                                tftp;
                                ike;
                                http;
                                ping;
                                ssh;
                                https;
                            }
                        }
                    }
                }
            }
        }
    }
    access {
        profile dyn-vpn-access-profile {
            /* NOTE(review): the $9$ client passwords below are reversible encodings and are now public; reset both users */
            client client1 {
                firewall-user {
                    password "$9$/vnI90IyrvL7VKMoJ"; ## SECRET-DATA
                }
            }
            client client2 {
                firewall-user {
                    password "$9$CNC5ABEleWx-wM8ZU"; ## SECRET-DATA
                }
            }
            address-assignment {
                pool dyn-vpn-address-pool;
            }
        }
        address-assignment {
            /* /29 pool gives 6 usable client addresses, against connections-limit 4 on the gateway */
            pool dyn-vpn-address-pool {
                family inet {
                    network 192.168.100.0/29;
                }
            }
        }
        firewall-authentication {
            web-authentication {
                default-profile dyn-vpn-access-profile;
            }
        }
    }
    vlans {
        vlan-trust {
            vlan-id 3;
            l3-interface vlan.0;
        }
    }

    Anyone got any ideas as to what the issue is? 



  • 2.  RE: Dynamic VPN on SRX210

     
    Posted 05-04-2015 13:40
    You need to add the trust network 192.168.1.0/24 to the remote-protected-resources! What Junos version are you running?


  • 3.  RE: Dynamic VPN on SRX210

    Posted 05-04-2015 14:34

    Junos Version 12.1X44-D35.5;

     

    That 192.168.1.0/24 is part of the default config that I haven't removed. I'm just using the XX.XX.XX.XX public address on the untrusted interface and the 172.20.128.0 address on the trusted interface.



  • 4.  RE: Dynamic VPN on SRX210
    Best Answer

     
    Posted 05-05-2015 00:55
    You have 172.20.128.153/28 configured on the fxp0 interface but also on the ge-0/0/0 interface.

    You need to change one of those to another IP allocation.


  • 5.  RE: Dynamic VPN on SRX210

    Posted 05-05-2015 10:20

    Thanks, not sure if that was 100% of the solution as I tried a few other things around the same time, but it's working now so I'm happy.



  • 6.  RE: Dynamic VPN on SRX210

     
    Posted 05-05-2015 21:55

    Great that it is solved! What Junos version are you running at this moment? There are some "bugs" with dynamic-vpn and handing out IPs to the clients. Just curious whether you have the same problem?